pam_authz(5)

NAME
pam_authz - PAM module that provides user authorization

SYNOPSIS

DESCRIPTION
The pam_authz service module for PAM provides functionality that allows
the administrator to control who can log in to the system, based either
on information found in the passwd(4) file or on the access rules defined
in the access policy file.

By default, pam_authz provides access control similar to the filtering
feature performed by NIS. It is intended to be used when NIS is not in
use, for example when the pam_ldap(5) or pam_krb5(5) authentication
modules are used. Because pam_authz does not provide authentication, it
does not verify that a user account exists.

pam_authz also broadens the ability to define host and service access
management policy. It supports a local access policy file, which allows
you to define access rules based on a variety of information: access
rules can be defined based on LDAP X.500 style groups, regular POSIX
groups, netgroups, LDAP search filters and individual users. To activate
this feature, create the access policy file in the location pam_authz
expects; when the file is not present, pam_authz falls back to the
passwd(4) and netgroup(4) based access control described below.

pam_authz provides an interface for all four PAM components:
authentication, account management, session management and password
management. However, only the account management component needs to be
configured. The session management and password management components
are NULL functions: they perform no action and always return the same
fixed status.

The library is a shared object that can be dynamically loaded to provide
the necessary functionality on demand. Its path is specified in the PAM
configuration file (see pam.conf(4)).
Authentication and Account Management Modules
The authentication component does not provide authentication. Instead,
it provides authorization. pam_authz is intended to be used as a
supplementary module alongside other authentication modules: another
module verifies the user's identity, while pam_authz verifies the user's
access rights. It is intended for the case where the list of users
allowed to gain access to a system is a subset of the users stored in a
large repository (such as an LDAP directory server or another database).

Because pam_authz provides authorization only, not authentication, it is
highly recommended that it is set to required in the configuration file
(see pam.conf(4)). A pam_authz entry marked sufficient in the auth stack
would end the stack on success and admit a merely authorized user without
any module having verified that user's identity. Typically pam_authz is
configured as a required module under the account management section of
the file.

However, for PAM applications that neglect to call the PAM account
management procedure, pam_authz may also be configured as an
authentication module. When pam_authz is configured as an authentication
module, at least one other PAM module must be set to required to actually
authenticate the user.
Without the access policy file, pam_authz uses netgroups (see
netgroup(4)) and the passwd(4) file to determine user access rights,
using a syntax similar to the one defined by NIS. However, pam_authz does
not support the NIS password entry filtering syntax, other than to
determine whether a member should be granted or denied access based on
whether the password field is blocked.

pam_authz scans the passwd(4) file for the matching NIS style entry and
grants or denies access based on the first rule that matches the account
in question; later entries for the same account are never consulted. For
example, pam_authz will grant or deny access when the following entries
are defined in the file:

+           Grants access to all the users in the passwd database.
+@name      Grants access to all members of the network group name.
+name       Grants access to user name.
-@name      Denies access to all members of the network group name.
-name       Denies access to user name.

A +@name or +name entry whose password field is blocked denies access to
all members of the network group name, or to user name, respectively
(this is the only password field filtering that pam_authz honours).

Please refer to passwd(4) for a sample file.
With the access policy file, pam_authz uses that file to determine which
users may log in. Each access rule in the access policy file is evaluated
in order until an authoritative rule is found. The authoritative rule is
the first access rule that matches the user's login name; pam_authz
grants or denies access according to that rule alone. If no authoritative
rule is found, the user is denied login: the default is deny.
Access rules are the basic elements of an access policy. A "policy" is
the ordered collection of these access rules; because the first match
wins, the order of the rules is part of the policy. An access rule
consists of three fields, action, type and object, where:

action The action field defines the access permission if an access
rule evaluates to true. There are two possible values in this
field:

the grant value: login authorization is granted
the deny value: login authorization is restricted
type The value in the type field represents the source of the
information. It signifies the kind of user information that
pam_authz should look for. The value also determines the correct
syntax of the following object field. The following types are
supported:

Type                Usage

(user name type)    Controls the access permission by comparing the
                    user's login name with a list of user names in
                    the object field.

(POSIX group type)  Controls the access permission by examining the
                    user's POSIX group membership. A list of Unix
                    POSIX groups is specified in the object field.
                    pam_authz retrieves the group information of each
                    listed group by querying the name services
                    specified in the name service switch
                    configuration.

(netgroup type)     Controls the access permission by examining the
                    user's netgroup membership. A list of netgroup
                    names is specified in the object field. pam_authz
                    obtains the information by querying the name
                    services specified in the name service switch
                    configuration.

(LDAP group type)   Controls the access permission by examining the
                    user's non-POSIX group membership. pam_authz
                    supports X.500 style groups of the two supported
                    objectclasses, and retrieves the membership of
                    each listed group from the directory server
                    through the LDAP-UX client.

(LDAP filter type)  Controls the access permission by examining the
                    user's role in the organization. pam_authz queries
                    the user's LDAP information using the provided
                    LDAP filter; the rule matches if the user's entry
                    satisfies the filter.

(wildcard rule)     The wildcard access rule matches every user. Use
                    this rule to grant or deny access permission to
                    all users, typically as the last rule so that the
                    policy's default is stated explicitly.
object The values in the object field define the criteria that are
validated against the login name. The following table summarizes
the possible values and syntax of the object field for each type.

Type                Object

(user name type)    A list of user names. Each value (user name) is a
                    character string; values are separated by a comma
                    (ASCII 0x2C). Multi-valued field.

(POSIX group type)  A list of Unix group names. Each value (group
                    name) is a character string; values are separated
                    by a comma (ASCII 0x2C). Multi-valued field.

(netgroup type)     A list of netgroup names. Each value (netgroup
                    name) is a character string; values are separated
                    by a comma (ASCII 0x2C). Multi-valued field.

(LDAP group type)   The distinguished name (DN) of an LDAP (non-POSIX)
                    group of one of the two supported objectclasses.
                    DN syntax is defined in RFC 2253. Single-valued
                    field: no separator is required and only one DN
                    is allowed. Because a DN itself contains commas,
                    this field is never split on commas.

(LDAP filter type)  A single LDAP search filter specifying one or more
                    attribute/value pairs. String search filter syntax
                    is defined in RFC 2254. Single-valued field: no
                    separator is required and only one search filter
                    is allowed.
Here is an example of access rules in
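The following is an added example, not code from this man page or from the LDAP-UX product: a small Python model of the evaluation just described, which is also the first-match semantics that applies to the NIS style passwd(4) entries in the previous section. Rules are read in order, the first rule that matches the login name is authoritative, and a user matched by no rule is denied. The action and type keyword spellings ("allow"/"deny", "user", "group", "netgroup", "ldap_group", "ldap_filter", "*"), the colon-separated line layout and all user, group and DN names are assumptions made for this model; the real keywords are documented in the access policy file on the system. Name service and directory lookups are replaced by in-memory tables so the model runs offline, and the RFC 2254 filter evaluator covers only equality, presence and the &, | and ! operators.

```python
"""Model of pam_authz access-policy evaluation: ordered rules, first match
is authoritative, default deny.  Added example; keyword spellings, line
layout and all names are placeholders (assumption), and directory lookups
are stand-in tables built inline."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

TYPES = {"user", "group", "netgroup", "ldap_group", "ldap_filter", "*"}  # placeholder spellings


@dataclass(frozen=True)
class Rule:
    action: str   # "allow" or "deny" (placeholder spellings)
    type: str     # one of TYPES
    object: str   # comma list, single DN, single filter, or "" for the wildcard


@dataclass
class Directory:
    """Stand-in for the name service switch and LDAP-UX lookups (constructed data)."""
    posix_groups: Dict[str, Set[str]] = field(default_factory=dict)
    netgroups: Dict[str, Set[str]] = field(default_factory=dict)
    ldap_groups: Dict[str, Set[str]] = field(default_factory=dict)  # group DN -> member logins
    users: Dict[str, Dict[str, str]] = field(default_factory=dict)  # login -> attrs (lowercase keys)


def parse_policy(text: str) -> List[Rule]:
    """Parse 'action:type:object' lines; '#' lines are comments; order is preserved."""
    rules: List[Rule] = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":", 2)       # a DN or filter may itself contain ':'
        if len(parts) == 2:
            parts.append("")             # the wildcard rule carries no object
        action, rtype, obj = (p.strip() for p in parts)
        if action not in ("allow", "deny") or rtype not in TYPES:
            raise ValueError(f"line {n}: malformed rule {raw!r}")
        rules.append(Rule(action, rtype, obj))
    return rules


def _parse_filter(s: str, i: int):
    """Recursive-descent parser for a subset of RFC 2254 string filters."""
    if s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if s[i] in "&|":
        op, kids, i = s[i], [], i + 1
        while s[i] == "(":
            node, i = _parse_filter(s, i)
            kids.append(node)
        if s[i] != ")":
            raise ValueError("unterminated composite filter")
        return (op, kids), i + 1
    if s[i] == "!":
        node, i = _parse_filter(s, i + 1)
        if s[i] != ")":
            raise ValueError("unterminated negation")
        return ("!", node), i + 1
    end = s.index(")", i)
    attr, eq, val = s[i:end].partition("=")
    if not eq:
        raise ValueError(f"unsupported item {s[i:end]!r}")
    return ("=", attr.lower(), val), end + 1


def _eval(node, attrs: Dict[str, str]) -> bool:
    kind = node[0]
    if kind == "&":
        return all(_eval(k, attrs) for k in node[1])
    if kind == "|":
        return any(_eval(k, attrs) for k in node[1])
    if kind == "!":
        return not _eval(node[1], attrs)
    actual = attrs.get(node[1])
    if actual is None:
        return False                    # attribute absent: neither equality nor presence holds
    return True if node[2] == "*" else actual.lower() == node[2].lower()


def filter_matches(flt: str, attrs: Dict[str, str]) -> bool:
    node, end = _parse_filter(flt, 0)
    if end != len(flt):
        raise ValueError("trailing characters after filter")
    return _eval(node, attrs)


def _matches(login: str, rule: Rule, d: Directory) -> bool:
    if rule.type == "*":
        return True
    names = [x.strip() for x in rule.object.split(",") if x.strip()]
    if rule.type == "user":
        return login in names
    if rule.type == "group":
        return any(login in d.posix_groups.get(g, set()) for g in names)
    if rule.type == "netgroup":
        return any(login in d.netgroups.get(g, set()) for g in names)
    if rule.type == "ldap_group":       # single DN (RFC 2253): never split on commas
        return login in d.ldap_groups.get(rule.object.strip(), set())
    attrs = d.users.get(login)          # ldap_filter: evaluate against the user's entry
    return attrs is not None and filter_matches(rule.object, attrs)


def authorize(login: str, rules: List[Rule], d: Directory) -> Tuple[str, Optional[int]]:
    """Return (decision, index of the authoritative rule); ('deny', None) if no rule matched."""
    for i, rule in enumerate(rules):
        if _matches(login, rule, d):
            return rule.action, i
    return "deny", None


POLICY = """\
# constructed sample policy (placeholder keyword spellings); first match wins
allow:user:alice,bob
deny:group:contractors
allow:netgroup:ops
allow:ldap_group:cn=dbadmins,ou=groups,dc=example,dc=com
allow:ldap_filter:(&(objectclass=posixaccount)(!(employeetype=intern)))
deny:*
"""
DIR = Directory(   # constructed stand-in directory data
    posix_groups={"contractors": {"carol"}},
    netgroups={"ops": {"ned"}},
    ldap_groups={"cn=dbadmins,ou=groups,dc=example,dc=com": {"carol", "dave"}},
    users={u: {"objectclass": "posixaccount", "employeetype": t}
           for u, t in [("dave", "staff"), ("gina", "staff"), ("erin", "intern")]},
)
RULES = parse_policy(POLICY)

if __name__ == "__main__":
    for login in ["alice", "carol", "ned", "dave", "gina", "erin", "mallory"]:
        print(login, authorize(login, RULES, DIR))
```

Note that carol is denied although she is a member of the dbadmins LDAP group, because the deny rule for the contractors POSIX group precedes the ldap_group rule; and that with the trailing wildcard removed, a user matched by no rule is still denied, since the absence of an authoritative rule is itself a deny.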
The following options may be passed to the pam_authz service module:

Log debugging information through syslog(3C).
Turn off warning messages.
The password-forwarding options accepted by other modules (such as
try_first_pass in the example below) are accepted but ignored, since
pam_authz performs no authentication.

The pam_setcred(3) function sets user-specific credentials. In the case
of pam_authz, this is a NULL function.
Session Management Module

The session management component provides functions to initiate and
terminate sessions. For pam_authz, both are NULL functions. The following
options may be passed to the service module:

Log debugging information through syslog(3C).
Turn off warning messages.
Password Management Module

The password management component provides a function to change
passwords. In the case of pam_authz, this is a NULL function. The
following options may be passed to the pam_authz service module:

Log debugging information through syslog(3C).
Turn off warning messages.
The password-forwarding options (such as try_first_pass) are accepted but
ignored.
EXAMPLES
The following is a sample configuration file. Lines that begin with
the # symbol are treated as comments and are therefore ignored. Note
that for each component a successful libpam_unix.so.1 result, marked
sufficient, ends the stack for that service, so libpam_ldap.so.1 is
consulted only when the local module does not succeed.
#
# PAM configuration
#
# Authentication management
#
login auth required libpam_hpsec.so.1
login auth sufficient libpam_unix.so.1
login auth required libpam_ldap.so.1 try_first_pass
OTHER auth required libpam_hpsec.so.1
OTHER auth sufficient libpam_unix.so.1
OTHER auth required libpam_ldap.so.1 try_first_pass
#
# Account management
#
login account required libpam_hpsec.so.1
login account sufficient libpam_unix.so.1
login account required libpam_ldap.so.1
OTHER account required libpam_hpsec.so.1
OTHER account sufficient libpam_unix.so.1
OTHER account required libpam_ldap.so.1
#
# Session management
#
login session required libpam_hpsec.so.1
login session sufficient libpam_unix.so.1
login session required libpam_ldap.so.1
OTHER session required libpam_hpsec.so.1
OTHER session sufficient libpam_unix.so.1
OTHER session required libpam_ldap.so.1
#
# Password management
#
login password required libpam_hpsec.so.1
login password sufficient libpam_unix.so.1
login password required libpam_ldap.so.1 try_first_pass
OTHER password required libpam_hpsec.so.1
OTHER password sufficient libpam_unix.so.1
OTHER password required libpam_ldap.so.1 try_first_pass
SEE ALSO
pam(3), pam_authenticate(3), pam_setcred(3), syslog(3C), netgroup(4),
pam.conf(4), pam_user.conf(4), passwd(4), ldapux(5), pam_krb5(5),
pam_ldap(5).